This switch was a problem for Mac admins who wanted to deploy Sophos Enterprise Anti-Virus 9.2.x, as the previously-available installer package had simplified the task of deployment. The new Sophos Enterprise Anti-Virus 9.2.x install application added further complexity by storing many of the installer’s files and other components outside the application in a separate Sophos Installer Components directory.

However, after doing some research and testing, it looks like it is possible to repackage Sophos Enterprise 9.2.x for deployment. For more details, see below the jump.

Sophos’ application can be run from the command line using the InstallationDeployer tool, which includes both install and remove switches. Here’s how to install and uninstall Sophos 9.x using the Sophos Enterprise Anti-Virus installer application:

With these commands, it’s possible to add the Sophos Installer application and the Sophos Installer Components directory to an installer package and run the needed commands with preinstall and postinstall scripts.

The other part of the puzzle is providing configuration and login credentials, to allow Sophos 9.2.x to communicate back with the Sophos Enterprise console following installation. After working on the problem in his own shop, Tim Kimpton figured out that both of the following files were needed:

/Library/Preferences/com.sophos.sau.plist

/Library/Sophos Anti-Virus/Sophos.keychain

Once I had this information and understood what was going on, here’s how I repackaged Sophos Enterprise Anti-Virus 9.2.x so that it could be deployed via an installer package.

3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that your information is correctly set here. (If you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)

In this example, I’m not changing any of the options from what is set by default.

4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.

To accomplish this, I’m choosing the following options in the Settings section:

In the Post-Installation Behavior section, set On Success: to Do Nothing

In the Options section, check the box for Require admin password for installation.

5. Click on the Scripts tab in your Packages project.

6. Select the Sophos Installer application and the Sophos Installer Components directory and drag them into the Additional Resources section of your Packages project.

7. Select the Sophos.keychain file and drag it into the Additional Resources section of your Packages project.

8. The last piece is doing an automated uninstall of any existing Sophos installations, then installing a fresh copy of Sophos with the pre-configured autoupdate settings.

For this, you’ll need a preinstall script and postinstall script. Here are the ones I’m using:

Preinstall:

Postinstall:

9. Once you’ve got the preinstall and postinstall scripts built, run the following commands to make the scripts executable:

sudo chmod a+x /path/to/preinstall

sudo chmod a+x /path/to/postinstall

10. Once completed, add the preinstall and postinstall scripts to your Packages project.

11. Last step, go ahead and build the package. (If you don’t know how to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)

Testing the installer

Once the package has been built, test it by taking it to a test machine that does not have Sophos and install it. The end result should be that Sophos Anti-Virus installs properly and has the pre-configured settings for your Sophos Enterprise server included automatically.
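A package can report success without having installed anything, so the test is worth scripting. The following check is an added example, not part of the original post or of Sophos’ tooling: it looks only for the three file paths named on this page, and the function name and the optional ROOT prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: post-install check for the repackaged Sophos installer.
# The three paths below are the ones named on this page; nothing else about
# the Sophos install layout is assumed.

# verify_sophos_install [ROOT]
#   ROOT is an optional prefix (empty = the live system) so the check can
#   also be pointed at a mounted test volume.
#   Prints one line per problem and returns the number of problems found.
verify_sophos_install() {
    root="${1:-}"
    problems=0
    for f in \
        "/Library/Preferences/com.sophos.sau.plist" \
        "/Library/Sophos Anti-Virus/Sophos.keychain" \
        "/Library/LaunchAgents/com.sophos.uiserver.plist"
    do
        if [ ! -e "${root}${f}" ]; then
            echo "MISSING: ${f}"
            problems=$((problems + 1))
        elif [ ! -s "${root}${f}" ]; then
            # A zero-byte file means the copy or install step did not finish.
            echo "EMPTY: ${f}"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone use: sh verify_sophos.sh --check [ROOT]
if [ "${1:-}" = "--check" ]; then
    if verify_sophos_install "${2:-}"; then
        echo "Sophos files present"
    else
        echo "Sophos install incomplete" >&2
        exit 1
    fi
fi
```

Run it on the test machine after the package finishes; a non-zero exit means the installer’s “successful” result should not be trusted.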

You can avoid creating the XML script part if you just use the internal build command by (assuming you have the Sophos Installer.app on your Desktop) opening Terminal.app and navigating to /Users/yourusername/Desktop/Sophos\ Installer.app/Contents/MacOS, then typing sudo -s and authenticating, then typing:

I just worked on a similar approach, but the two Library files were not necessary. The URL of the update server is specified in the ESCOSX/Sophos Installer Component/rms/mrinit.conf file. Everything else comes from the settings of the Sophos Console. So my install script just checks if previous Sophos installations were around, uninstalls them, then calls the install binary…….

But then it occurred to me that we had to repackage it because installing a .pkg from a share doesn’t work. Now changing that to the .app, which gives us direct access to the install routine, actually makes life easier for us instead of harder. No need for repackaging, just mount the share, install Sophos, enjoy a free afternoon.
Here goes:

The above procedure is unsupported and unnecessary. Sophos has published articles to apply configuration data to the package and even preload Group Path (so clients don’t flounder in the Unassigned container). Follow: https://sophos.com/kb/119744 for updating and scanning settings. Follow https://sophos.com/kb/119791.aspx for setting Group Path for managed clients.

This no longer seems to work, Sophos AV 9.2.4. Packages builds a pkg, but when installing, gets to Validating Packages and rushes through it and says “Installation Successful”, but nothing is installed?

This Package doesn’t work properly anymore on OS X El Capitan.
You have to manually disable System Integrity Protection, otherwise you’ll get an error while creating the needed file under /Library/LaunchAgents

I noticed that when I’m running the package with SIP enabled the package says that it was installed successfully, but Sophos isn’t installed. When I’m running this package with SIP disabled, everything works well and Sophos is installed and running.
I’m running the package as admin user.

In the system.log I noticed a line like:
/Library/LaunchAgents/com.sophos.uiserver.plist no such file or directory.

I got a similar issue. My previously created SAV 9.2.8 pkg can deploy and install on the client, but when I tried to create a new one with SAV version 9.4.3, the pkg shows the installation as successful but actually nothing is installed. I tried both with and without SIP; all failed to actually install. I’m wondering what has been changed in SAV.

This is working great for me thanks. I needed a .pkg as this was easiest to use with my DeployStudio workflow and I don’t want Sophos baked into our base image. Our Enterprise version is 9.2.10, running on OS X 10.11.3.

I was wondering if there are updated instructions for Sophos AV v.9.6.x? They have changed the name of the Sophos keychain, the path for silent install, and also some internal workings of the install that I cannot figure out.

I’ve followed the instructions on this page before to create a 9.4.x package with great success. But, something with 9.6.x has changed…